CIS CSC #12 – Boundary Defense

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

This control includes twelve (12) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are two (2) IG1 control and eight (8) IG2 controls. This means that, at a minimum, we want to:

• Maintain an up-to-date inventory of all of the organization’s network boundaries.
• Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries.

You can’t control what you don’t know you have, and that is why the very first sub-control you should implement is tracking all network boundaries. If you are in the early stages of implementing the CIS controls, this is likely a matter of identifying all network connections between your organization and the internet. As your security plans evolve, this may also include boundaries between different internal network segments. In a smaller organization, this can be a physical inspection, but that will not scale very well with several physically disparate locations.

The second sub-control introduces a hang up for a lot of folks when we look at not only blocking unnecessary inbound traffic, but also restricting outbound traffic to only those ports, services, and applications necessary for business operations. As your security posture matures, this same approach will apply to your internal network segments, restricting the areas an attacker can access.

Zenmap is the GUI version of Nmap. I wanted to show this video as an example of how you can perform network discovery and be presented with a graphical representation of your network. Warning: the computer-generated voice can be annoying.

Relevant News Stories

• https://www.upi.com/Top_News/US/2013/06/20/Stolen-F-35-info-could-be-a-major-problem/11621371764200/?ur3=1
• https://i-hls.com/archives/48887

Relevant Tools

Commercial	Open-Source & “Freemium”
Palo Alto Networks Firewall	Snort
Juniper Firewall	Security Onion
Fortinet FortiGate	Zeek (FKA Bro)
Cisco Firepower Firewall	Network Miner
Cisco Adaptive Security Appliance (ASA)	Wireshark
FireEye Network IPS	Tshark/TCPDump
StealthWatch (Cisco)	Moloch

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #12 page here.